So far, the idea of hacking into medical devices has been limited to fiction and hacker demonstrations.
But US regulators and security experts say the threat is real: malicious actors can gain access to devices ranging from pacemakers to insulin pumps, with potentially fatal results.
The US Food and Drug Administration this month warned manufacturers to step up their vigilance, saying it has learned of “cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations.”
Officials say they know of no deliberate hacking of medical devices. But on the television drama “Homeland”, the Vice President of the United States is assassinated by hackers, who gain access to his pacemaker and deliver a fatal electric shock.
“The good news is that we are not aware of any incidents in the real world. But the bad news is there is no science behind looking for it,” said Kevin Fu, a University of Michigan professor of computer science specialising in health security. “It takes just a blink of the eye for malware to get in.”
Fu co-authored a 2008 research paper highlighting the risks of implantable devices like cardiac defibrillators, which could be reprogrammed by hackers who get into the system’s wireless network.
“My opinion is that the greater risk is from malware that accidentally gets into a device, rather than the attacks in fictionalised programmes,” Fu said.
“Malware will often slow down a computer and when you slow down a medical device, it no longer gives the integrity needed to perform as it should.”
Barnaby Jack of the security firm IOActive said the “Homeland” scenario was “fairly realistic”, and that he would demonstrate a similar attack at an upcoming hacker gathering. “In ‘Homeland,’ they required a serial number, my demonstration does not,” he said.
Jack has been researching implantable medical devices such as pacemakers and defibrillators from a major manufacturer, and said that he has found the devices “to be particularly vulnerable.”
In another publicised incident, security specialist Jay Radcliffe, who is diabetic, demonstrated in 2011 the potential to hack into an insulin pump to change dosage levels.
Security specialists say that in addition to implanted devices, hospital equipment such as monitoring systems, scanners and radiation equipment is connected to networks that could have lax security, creating similar security holes. Some heart and drug monitoring systems use open Wi-Fi connections that can be hacked.
“The vast majority of medical devices in hospitals I’ve been to use Windows XP or Windows 95. These are extremely vulnerable to computer malware,” Fu said.
“Attacks or insertion of malware could affect things like radiation therapy, or devices that mix nutrients for intravenous delivery,” he said.
Medical devices and equipment may have passwords, but these can be hacked as well, as shown in a recent report by the security firm Cylance, which obtained passwords to 300 different devices.
“We could have reported 1,000 different backdoor passwords, we could have even gone all the way to 10,000,” said a blog post from Cylance’s Billy Rios and Terry McCorkle. “We stopped at 300 because we felt 300 was sufficient to get our point across.”
The writer is a freelance columnist. This article has been reprinted from The Arab News.